In the screenshot from the link above you can see the code for the gate / redirect to the exploit kit. This is what we will start with here. This is packet 35.

After extracting the code from the infected page this is the full script. You will have to zoom to get a better look.

Don’t worry we will be taking a closer look at each section.

If we look at the top section of the code we see this.

Here we see an encoded section of text that will get decoded after going through the rest of the sections, which get decoded first.

Next we have this large section of “var” and these will be built for later replacements in the functions below.

Looking at the green highlighted variables, we can first see that each is declared with “var”, then it tacks on each element as it gets evaluated.

As we can see here we start out our first letters as “fu”.

The first few times I did this I did it all by hand, all of the math and all of the hex to char code conversions. After that was when I started developing tools to deal with this obfuscation.

In this screenshot what I chose to do, still being new to this, was to save the “var”s to a file and import them into the “Get Vars” program. What this will do is search through the lines of vars and get a unique list of variable names. I first select a variable name from the dropdown list and then click the “Get Var Val” button to get the associated variables that get added together.

Due to the complexity at the time, I chose to split the decode function out to another program. So in the “Script Decode 2” we can see what those variables evaluate to. After doing several of these I had verified we didn’t need to decode this section every time, so I did not put this all into one program.

So from here we continue on down the line and do all of the decoding for each variable name, and if you see the counter next to the names there are 59 unique variable names. So this will still take some time to do all of the decoding and replacements.

After doing all of the reassembling we end up with a variable list like this.

The next step is to do the variable replacements in the functions below.
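The reassembly and replacement steps described above, as an added example that is not the author’s “Get Vars” tool or any code from the original post. It runs over a small constructed script in the same style (short fragments, some as hex escapes, added together into longer names that the function below then uses) and resolves the names in declaration order, then substitutes the values into the remaining code. Python is used here rather than the author’s VB.Net.

```python
import re

# Constructed sample in the style the post describes: string fragments
# assigned to throwaway names, longer names built by adding fragments
# together, and a final statement that uses those names.
SAMPLE = r'''
var q1 = "fu";
var q2 = "\x6e\x63";
var q3 = q1 + q2 + "tion";
var q4 = "\x64ocum" + "ent";
var q5 = "write";
var q6 = q4 + "." + q5;
window[q4][q5](q3 + " x(){}");
'''

# One "var name = expr;" per line (a ';' inside a string does not end the line).
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s*=\s*(.+?);\s*$', re.M)
# Terms of an expression: a double-quoted string literal or a bare name.
TERM_RE = re.compile(r'"(?:\\.|[^"\\])*"|\w+')
HEX_ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape(literal):
    """Turn the \\xHH escapes the post mentions (hex to char code) into text."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def resolve_vars(script):
    """Evaluate each var in order; every term is a literal or an earlier var."""
    values = {}
    for name, expr in VAR_RE.findall(script):
        pieces = []
        for term in TERM_RE.findall(expr):
            if term.startswith('"'):
                pieces.append(unescape(term[1:-1]))
            elif term in values:
                pieces.append(values[term])
            else:
                raise ValueError(f"{name}: unresolved term {term!r}")
        values[name] = "".join(pieces)
    return values  # also gives the unique variable list and its count


def substitute(script, values):
    """Replace resolved names in the code left after the var block."""
    body = VAR_RE.sub("", script)
    swap = lambda m: f'"{values[m.group(0)]}"' if m.group(0) in values else m.group(0)
    return re.sub(r'\b\w+\b', swap, body).strip()


if __name__ == "__main__":
    resolved = resolve_vars(SAMPLE)
    print(len(resolved), "unique variable names")
    print(substitute(SAMPLE, resolved))
```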

After doing the replacements it is still not really clear what it is doing.

It will first check the browser being used and pass a parameter of “2” if it is IE.

If it is IE then, from the “div” above, it will get the data to decode and a decoding key.

And here it is formatted a little better.

In order to build this tool I did have to step thru the code several times in the IE debugger to fully understand how it worked.

Looking at several samples, even though some math parameters in the final decode function changed, they always worked out to the same end value after they were evaluated, so I could build a static decoder with just the key value and the encoded string.

And here is what my final decode function looked like in VB.Net.

This is still somewhat complicated. The “IeIdx” = 2 here if you want to do the math.

The one thing about these “Kits / Builders” is even though the variables may change, the underlying decoded function stayed the same. This particular encoding has not been used since some time before Angler EK disappeared.

As complicated as this is, I would only have been able to show it quickly, and what it looked like decoded, in a 30 minute talk.

The next post was going to be the landing page, but I’ve already written on that, so I will just add the link to it here so as not to repeat what I’ve done already.

About pcsxcetrasupport3

My part-time business; I mainly do system building and system repair.
Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to be able to better find the information I need to understand the systems' problems, in order to get the systems repaired and back to my customers quicker.